Enable Defender For Storage malware scanning using ARM template.

Denys Bielov 25 Reputation points
2024-05-29T10:34:05.5533333+00:00

I have this resource definition:

//Defender For Storage
        {
            "type": "Microsoft.Security/DefenderForStorageSettings",
            "apiVersion": "2022-12-01-preview",
            "name": "current",
            "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
            "properties": {
                "isEnabled": true,
                "malwareScanning": {
                    "onUpload": {
                        "capGBPerMonth": "[parameters('capPerMonth')]",
                        "isEnabled": true
                    }
                    "scanResultsEventGridTopicResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.EventGrid/topics/', parameters('eventGridTopicName'))]"
                },
                "sensitiveDataDiscovery": {
                    "isEnabled": true
                },
                "overrideSubscriptionLevelSettings": true
            },
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
            ]
        },

It does enable Defender for Storage and Sensitive Data Discovery, but does not enable onUpload malware scanning. What is the issue with it?

Microsoft Defender for Cloud

1 answer

  Anushka 320 Reputation points
    2024-05-29T10:41:26.11+00:00

    Hey, I hope you're doing well.

    The issue with your JSON resource definition is a missing comma that separates the properties within the malwareScanning object. In JSON, each key-value pair must be separated by a comma. Here’s the corrected version of your JSON resource definition:

    {
        "type": "Microsoft.Security/DefenderForStorageSettings",
        "apiVersion": "2022-12-01-preview",
        "name": "current",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
        "properties": {
            "isEnabled": true,
            "malwareScanning": {
                "onUpload": {
                    "capGBPerMonth": "[parameters('capPerMonth')]",
                    "isEnabled": true
                },
                "scanResultsEventGridTopicResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.EventGrid/topics/', parameters('eventGridTopicName'))]"
            },
            "sensitiveDataDiscovery": {
                "isEnabled": true
            },
            "overrideSubscriptionLevelSettings": true
        },
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
        ]
    }

    The missing comma should be placed after the onUpload object:

    {
        "onUpload": {
            "capGBPerMonth": "[parameters('capPerMonth')]",
            "isEnabled": true
        },
        "scanResultsEventGridTopicResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.EventGrid/topics/', parameters('eventGridTopicName'))]"
    }

    Without the comma, the JSON is invalid, and this causes the malwareScanning property to be improperly parsed, preventing the onUpload malware scanning from being enabled correctly.

    After adding the comma, the JSON should work as expected, enabling the onUpload malware scanning along with the other specified settings. I hope this helps you. Have a good time.
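A pre-deployment check for this kind of template, added here as an example and not code from the question, the answer or Microsoft: it parses the resource JSON and reports either the syntax error with its line and column (what the missing comma produces) or which Defender for Storage settings are not enabled. The embedded sample is constructed from the corrected resource above, with a fixed cap value and a parameter reference standing in for the concat() expression.

```python
import json
from typing import List

# Constructed sample: the corrected DefenderForStorageSettings resource from the answer,
# with a fixed cap and a parameter reference for the topic standing in for the concat().
VALID_RESOURCE = """
{
  "type": "Microsoft.Security/DefenderForStorageSettings",
  "apiVersion": "2022-12-01-preview",
  "name": "current",
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {"capGBPerMonth": 5000, "isEnabled": true},
      "scanResultsEventGridTopicResourceId": "[parameters('eventGridTopicId')]"
    },
    "sensitiveDataDiscovery": {"isEnabled": true},
    "overrideSubscriptionLevelSettings": true
  }
}
"""

# The same resource with the comma after the onUpload object dropped, as in the question.
BROKEN_RESOURCE = VALID_RESOURCE.replace('"isEnabled": true},', '"isEnabled": true}', 1)


def check_defender_storage(template_text: str) -> List[str]:
    """Findings for a whole template or a single resource; empty means scanning is enabled."""
    try:
        doc = json.loads(template_text)
    except json.JSONDecodeError as exc:
        # A missing comma surfaces here with its position, before anything is deployed.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    resources = doc.get("resources", [doc])  # whole template or a lone resource
    findings = []
    for res in resources:
        if res.get("type") != "Microsoft.Security/DefenderForStorageSettings":
            continue
        props = res.get("properties", {})
        scanning = props.get("malwareScanning", {})
        on_upload = scanning.get("onUpload", {})
        if props.get("isEnabled") is not True:
            findings.append("properties.isEnabled is not true")
        if on_upload.get("isEnabled") is not True:
            findings.append("malwareScanning.onUpload.isEnabled is not true")
        if not scanning.get("scanResultsEventGridTopicResourceId"):
            findings.append("scanResultsEventGridTopicResourceId is not set")
        if props.get("sensitiveDataDiscovery", {}).get("isEnabled") is not True:
            findings.append("sensitiveDataDiscovery.isEnabled is not true")
    return findings
```

Run it over the template file in a pipeline step so a syntax slip or a disabled on-upload scan is caught before deployment rather than discovered in the portal afterwards.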